Someone was able to hack my mail account

Please, if anyone knows how to stop this with postfix and amavisd-new, let me know!!!

I am clueless how someone outside $mynetworks was able to do it.

Here is the log:

Dec 10 15:14:35 mail dovecot: auth(default): new auth connection:
pid=23648
Dec 10 15:14:37 mail dovecot: auth(default): new auth connection:
pid=23649
Dec 10 15:14:37 mail postfix/smtpd[23649]: connect from
165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:38 mail postfix/smtpd[23649]: NOQUEUE: filter: RCPT from
165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]:
<atienoalice@xxxxxxxxxxxxxx>: Sender address triggers FILTER
amavisfeed:[127.0.0.1]:10024; from=<atienoalice@xxxxxxxxxxxxxx>
to=<support@xxxxxxxxxxxxxx> proto=ESMTP helo=<windowsb894c86>
Dec 10 15:14:39 mail postfix/smtpd[23649]: 985869EAA9:
client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:40 mail postfix/cleanup[23653]: 985869EAA9:
message-id=<001501ca79dd$cc8a4ef0$7f000001@windowsb894c86>
Dec 10 15:14:40 mail postfix/qmgr[2538]: 985869EAA9:
from=<atienoalice@xxxxxxxxxxxxxx>, size=917, nrcpt=1 (queue active)
Dec 10 15:14:40 mail postfix/smtpd[23649]: disconnect from
165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail dovecot: auth(default): new auth connection:
pid=23658
Dec 10 15:14:41 mail postfix/smtpd[23658]: connect from
localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/smtpd[23658]: 3D8869EAAC:
client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/cleanup[23653]: 3D8869EAAC:
message-id=<001501ca79dd$cc8a4ef0$7f000001@windowsb894c86>
Dec 10 15:14:41 mail postfix/smtpd[23658]: disconnect from
localhost.localdomain[127.0.0.1]
Dec 10 15:14:41 mail postfix/qmgr[2538]: 3D8869EAAC:
from=<atienoalice@xxxxxxxxxxxxxx>, size=2621, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtp[23654]: 985869EAA9:
to=<support@xxxxxxxxxxxxxx>, relay=127.0.0.1[127.0.0.1]:10024,
delay=3.4, delays=2.1/0.02/0.01/1.3, dsn=2.0.0, status=sent (250 2.0.0
Ok, id=22280-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
3D8869EAAC)
Dec 10 15:14:41 mail postfix/qmgr[2538]: 985869EAA9: removed
Dec 10 15:14:41 mail spamd[2472]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 33537
Dec 10 15:14:41 mail spamd[2472]: spamd: setuid to kevin succeeded
Dec 10 15:14:41 mail spamd[2472]: spamd: processing message
<001501ca79dd$cc8a4ef0$7f000001@windowsb894c86> for kevin:502
Dec 10 15:14:42 mail spamd[2472]: spamd: clean message (-98.2/5.0) for
kevin:502 in 1.2 seconds, 2731 bytes.
Dec 10 15:14:42 mail spamd[2472]: spamd: result: . -98 -
BAYES_50,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST
scantime=1.2,size=2731,user=kevin,uid=502,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33537,mid=<001501ca79dd$cc8a4ef0$7f000001@windowsb894c86>,bayes=0.499810,autolearn=no
Dec 10 15:14:42 mail spamd[2460]: prefork: child states: II
Dec 10 15:14:43 mail postfix/local[23659]: 3D8869EAAC:
to=<kevin@xxxxxxxxxxxxxx>, orig_to=<support@xxxxxxxxxxxxxx>,
relay=local, delay=1.8, delays=0.47/0.01/0/1.3, dsn=2.0.0, status=sent
(delivered to command: /usr/bin/procmail)
Dec 10 15:14:43 mail postfix/qmgr[2538]: 3D8869EAAC: removed


The amavisd-new log just shows that it was passed. The IP address 88.26.49.165 is not in $mynetworks and I am confused how it allowed it to send. I really don't want any more email going out of my server as spam. Also, I don't have a user with the atienoalice@xxxxxxxxxxxxxx email address.



These are the message headers:

Start of headers --

From - Thu Dec 10 15:18:06 2009
X-Account-Key: account2
X-UIDL: 000070314a016525
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <atienoalice@xxxxxxxxxxxxxx>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.kevinslair.com
X-Spam-Level:
X-Spam-Status: No, score=-98.2 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST autolearn=no version=3.2.5
X-Original-To: support@xxxxxxxxxxxxxx
Delivered-To: support@xxxxxxxxxxxxxx
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.kevinslair.com (Postfix) with ESMTP id 3D8869EAAC
	for <support@xxxxxxxxxxxxxx>; Thu, 10 Dec 2009 15:14:41 -0500 (EST)
X-Amavis-Modified: Mail body modified (using disclaimer) - mail.kevinslair.com
X-Virus-Scanned: amavisd-new at kevinslair.com
Received: from mail.kevinslair.com ([127.0.0.1])
	by localhost (mail.kevinslair.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id cMKr6GHgfe-F for <support@xxxxxxxxxxxxxx>;
	Thu, 10 Dec 2009 15:14:40 -0500 (EST)
Received: from windowsb894c86 (165.Red-88-26-49.staticIP.rima-tde.net [88.26.49.165])
	by mail.kevinslair.com (Postfix) with ESMTP id 985869EAA9
	for <support@xxxxxxxxxxxxxx>; Thu, 10 Dec 2009 15:14:38 -0500 (EST)
Message-ID: <001501ca79dd$cc8a4ef0$7f000001@windowsb894c86>
From: "Atieno Alice" <atienoalice@xxxxxxxxxxxxxx>
To: <support@xxxxxxxxxxxxxx>
Subject: First class male desire promotion, Heat up your intimating
Date: Thu, 10 Dec 2009 21:14:36 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	format=flowed;
	charset="koi8-r";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-Spam: Not detected
X-Mras: Ok

Bring harmony in your night in-outs, Bone-on to be prolonged.

http://profiles.yahoo.com/blog/CKQKWB7FSAAT4LWZ7UQGKDUGUA

END of headers --

Please, someone help!!!!

Thanks,
Kevin


Mail Service Provided by:
Kevins Lair, Ent
mailto:kevin@xxxxxxxxxxxxxx

_________________________________________________________________________________

Think before you print.

This message and any attachments may contain information that is protected by law as privileged and confidential, and is transmitted for the sole use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any use, dissemination, copying or retention of this e-mail or the information contained herein is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by e-mail, and permanently delete this e-mail.


All outgoing e-mail is scanned for virus and potentially hazardous material

_________________________________________________________________________________



--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
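The log in the post can be triaged mechanically. The example below is added here and is not part of the original post or of Postfix, amavisd-new or SpamAssassin; it parses the posted postfix/spamd lines (wrapped lines joined, the x-ed-out domain kept as posted and assumed to be the server's local domain) and reports, per queue id, where each message actually went. For the posted lines it finds that queue id 985869EAA9 only went to the loopback content-filter hop (127.0.0.1:10024) and that 3D8869EAAC was delivered locally to kevin via procmail, i.e. no relay to an outside host occurred; it also flags the spamd result where USER_IN_WHITELIST outweighed the DNSBL hits (RCVD_IN_PBL, RCVD_IN_SORBS_DUL). The second smtpd "client=" line carries the original client IP although the connection came from localhost, which is how Postfix logs mail re-injected by a filter that uses XFORWARD. A second, constructed line shows what a genuine outbound relay would look like so the check has something to fire on.

```python
import re
from typing import Dict, List

# Sample input: the postfix/spamd lines from the post above with the archive's
# line wrapping undone (the x-ed-out domain is kept exactly as posted).
SAMPLE_LOG = """\
Dec 10 15:14:39 mail postfix/smtpd[23649]: 985869EAA9: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:40 mail postfix/qmgr[2538]: 985869EAA9: from=<atienoalice@xxxxxxxxxxxxxx>, size=917, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtpd[23658]: 3D8869EAAC: client=165.Red-88-26-49.staticIP.rima-tde.net[88.26.49.165]
Dec 10 15:14:41 mail postfix/qmgr[2538]: 3D8869EAAC: from=<atienoalice@xxxxxxxxxxxxxx>, size=2621, nrcpt=1 (queue active)
Dec 10 15:14:41 mail postfix/smtp[23654]: 985869EAA9: to=<support@xxxxxxxxxxxxxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.4, delays=2.1/0.02/0.01/1.3, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=22280-12, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3D8869EAAC)
Dec 10 15:14:42 mail spamd[2472]: spamd: result: . -98 - BAYES_50,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,STOX_REPLY_TYPE,USER_IN_WHITELIST scantime=1.2,size=2731,user=kevin,uid=502,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33537,mid=<001501ca79dd$cc8a4ef0$7f000001@windowsb894c86>,bayes=0.499810,autolearn=no
Dec 10 15:14:43 mail postfix/local[23659]: 3D8869EAAC: to=<kevin@xxxxxxxxxxxxxx>, orig_to=<support@xxxxxxxxxxxxxx>, relay=local, delay=1.8, delays=0.47/0.01/0/1.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
"""

# Constructed line (not from the post): what a real relay to an outside host looks like.
RELAY_EXAMPLE = """\
Dec 10 15:20:00 mail postfix/smtp[23700]: ABCDEF1234: to=<someone@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.0, delays=0.5/0.01/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=(\S+)\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|lmtp|local)\[\d+\]: (\w+): to=<([^>]*)>"
    r"(?:, orig_to=<([^>]*)>)?, relay=(\S+?), .*status=(\w+)"
)
# spamd logs "Y" for spam and "." for ham, then the score and the rule list.
SPAMD_RE = re.compile(r"spamd: result: (\S) (-?\d+) - (\S+) (.*)$")


def classify_relay(relay: str) -> str:
    """Tell a local mailbox drop and a loopback content-filter hop from a real outbound relay."""
    if relay == "local":
        return "local"
    if relay.startswith(("127.", "localhost", "[127.")):
        return "content-filter"     # amavisd-new on 127.0.0.1:10024, not an outside host
    return "outbound-relay"


def analyse(log: str) -> Dict:
    """Group the log by Postfix queue id and collect spamd verdicts."""
    messages: Dict[str, Dict] = {}
    spamd: List[Dict] = []
    for line in log.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, host, ip = m.groups()
            messages.setdefault(qid, {"deliveries": []}).update(client_host=host, client_ip=ip)
            continue
        m = FROM_RE.search(line)
        if m:
            qid, sender = m.groups()
            messages.setdefault(qid, {"deliveries": []})["from"] = sender
            continue
        m = DELIVERY_RE.search(line)
        if m:
            qid, to, orig_to, relay, status = m.groups()
            messages.setdefault(qid, {"deliveries": []})["deliveries"].append(
                {"to": to, "orig_to": orig_to, "relay": relay,
                 "status": status, "kind": classify_relay(relay)})
            continue
        m = SPAMD_RE.search(line)
        if m:
            flag, score, tests, rest = m.groups()
            user = re.search(r"user=(\w+)", rest)
            spamd.append({"spam": flag == "Y", "score": int(score),
                          "tests": tests.split(","),
                          "user": user.group(1) if user else None})
    return {"messages": messages, "spamd": spamd}


def outbound_relays(result: Dict) -> List[str]:
    """Queue ids that left for a non-loopback relay: the only ones that are relay abuse."""
    return sorted(qid for qid, info in result["messages"].items()
                  if any(d["kind"] == "outbound-relay" for d in info["deliveries"]))


def whitelist_overrides(result: Dict) -> List[Dict]:
    """spamd verdicts where a whitelist rule forced ham despite DNSBL (RCVD_IN_*) hits."""
    return [r for r in result["spamd"]
            if "USER_IN_WHITELIST" in r["tests"]
            and any(t.startswith("RCVD_IN_") for t in r["tests"])]


def summarise(result: Dict) -> List[str]:
    """One human-readable line per delivery, plus the whitelist findings."""
    lines = []
    for qid, info in sorted(result["messages"].items()):
        for d in info["deliveries"]:
            lines.append(f"{qid}: client {info.get('client_ip')} from <{info.get('from')}> "
                         f"-> <{d['to']}> via {d['relay']} [{d['kind']}]")
    for r in whitelist_overrides(result):
        lines.append(f"whitelist override for user {r['user']}: score {r['score']}, "
                     f"tests {','.join(r['tests'])}")
    lines.append("outbound relays: " + (", ".join(outbound_relays(result)) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(analyse(SAMPLE_LOG))))
    print("\n".join(summarise(analyse(RELAY_EXAMPLE))))
```

Run against the posted lines, `outbound_relays` is empty and `whitelist_overrides` returns the single spamd verdict for user kevin, which is where to look first: a whitelist entry in that user's SpamAssassin configuration (USER_IN_WHITELIST scores -100) is what carried a message with two DNSBL hits to -98.2. The constructed RELAY_EXAMPLE line is the shape of entry that would indicate mail actually leaving the server for an outside host.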